Comments on: Thoughts on PatchGuard (otherwise known as Kernel Patch Protection)

By: Samuel Bronson

Samuel Bronson — Fri, 18 Jun 2010 19:19:57 +0000

I don’t really see how the hyperviser thing can actually stop kernel patching — what’s to prevent simply changing the on-disk PE image? I guess it would put a stop to the typical frivolous hotpatching that AV products do, though…

By: alienrancher

alienrancher — Tue, 06 Feb 2007 22:41:43 +0000

well, if Cutler did this aberration called PG it goes to show that doctors can get sick too.

By: Skywing

Skywing — Thu, 01 Feb 2007 17:54:33 +0000

As far as I know, Dave Cutler was indeed involved in the development of PatchGuard.

By: nksingh

nksingh — Thu, 01 Feb 2007 04:51:28 +0000

The way this system works (based on your Uninformed article about the self-decrypting execution stub) is quite a bit cleverer than something running in kernel mode should be, from a reliability standpoint.

I wonder about one thing: do you think Dave Cutler wrote this code himself? He did spend a couple of years “getting NT ported to x64 hardware,” so I could guess that this would be under his purview. I don’t know how big the core group who do the Executive and HAL are, but I have some doubts that there would be a ton of people who have the authority and stature to get such dangerous code included into a shipping kernel. Maybe I’m just hero-worshipping.

Thanks for the good post.

By: Fareed Rizkalla

Fareed Rizkalla — Wed, 31 Jan 2007 08:26:14 +0000

How can someone protect something which lies under a cover!?
If he even doesn’t know what it is ; )